
I have a small function that is given a struct as a parameter. The struct looks something like this:

struct my_struct {
  short a;          /* +0x0, followed by 2 bytes of padding */
  unsigned int b;   /* +0x4 */
  unsigned int c;   /* +0x8; sizeof(struct my_struct) == 12 */
};

Taking care of the alignment I build the following struct in IDA:

field_0 +0x0
field_1 +0x4
field_2 +0x8

The compiler builds it so that it takes rbp+0x10 as the first field in the struct, rbp+0x14 as the second and so on. The problem now arises because if I try to apply the pre-defined IDA struct to the instructions, I always get something like [rbp+struct.field_0+0x10]. This gets more complicated if there is actually something in my struct at +0x10, because then it just shows [rbp+struct.field_X] (which is wrong).

The question is: Is there a way to tell IDA (I'm using 6.3) to apply the struct with an offset of 0x10?

The dirty trick for this simple case is to create a struct that has 2 size_t dummy fields for the RIP and SFP, but that does not seem to be the right way to go here.

perror
sqrtsben

1 Answer


Add your struct in the function's stack view:

  1. With your cursor in the function's disassembly view, press Ctrl+K to open the stack view.
  2. In the stack view, ensure that enough function arguments exist to get to at least +00000010 in the stack. Use D to add more function arguments as necessary.
  3. Position your cursor on the +00000010 line in the stack view and press Alt+Q to specify my_struct at that offset.
Jason Geffner
    Note for emphasis: During step three, you must be on the stack view. If you place your cursor on the corresponding local variable in IDA view and press Alt+Q, IDA will try to interpret the contents of the function as a structure, rather than the variable, which destroys the function. This is a mistake I see people make pretty often when learning structures in IDA. – user1354557 Oct 27 '14 at 20:53
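The following script is an added example and is not code from the question, the answer, or IDA itself. It covers both halves of the thread: it computes the natural-alignment layout of my_struct the way an x86-64 C compiler does (so you can check the +0x0/+0x4/+0x8 offsets before building the struct in IDA), maps each field to the [rbp+N] displacement seen when the struct is passed on the stack starting at rbp+0x10, and, only when run inside IDA, performs the answer's procedure programmatically: create the struct and add it as a member of the function's frame at the argument offset. The IDA part assumes the IDA 6.x idc API (AddStrucEx, AddStrucMember, GetFrame, GetFrameLvarSize) and assumes that frame-struct member offsets equal the stack view's displayed offset plus the local-variable area size; both are assumptions, not something the thread states, so verify the result in the stack view (Ctrl+K).

```python
"""Added example: natural-alignment layout of a C struct, its rbp-relative
stack offsets when passed on the stack, and (inside IDA only) applying the
struct to a function's frame. Not part of the original question or answer."""

# Field sizes in bytes for the question's struct. On x86-64 SysV each
# scalar is aligned to its own size (short -> 2, unsigned int -> 4).
MY_STRUCT_FIELDS = [("a", 2), ("b", 4), ("c", 4)]

# After "push rbp; mov rbp, rsp": saved rbp at [rbp+0], return address at
# [rbp+8], so the first stack-passed argument lives at [rbp+0x10].
SAVED_RBP_SIZE = 8
RET_ADDR_SIZE = 8
ARGS_BASE = SAVED_RBP_SIZE + RET_ADDR_SIZE  # 0x10


def layout(fields):
    """Return (offsets, size): offsets maps field name -> byte offset with
    natural-alignment padding inserted; size includes trailing padding up
    to the largest member alignment, as sizeof() would report."""
    offsets = {}
    off = 0
    max_align = 1
    for name, size in fields:
        align = size
        off = (off + align - 1) // align * align  # round up to alignment
        offsets[name] = off
        off += size
        max_align = max(max_align, align)
    size = (off + max_align - 1) // max_align * max_align
    return offsets, size


def frame_offsets(fields, base=ARGS_BASE):
    """Map each field to the [rbp+N] displacement the disassembly shows
    when the whole struct is passed on the stack starting at rbp+base."""
    offsets, _ = layout(fields)
    return dict((name, base + off) for name, off in offsets.items())


def ida_apply(fields, ea, base=ARGS_BASE, name="my_struct"):
    """Inside IDA only: build the struct (if missing) and add it to the
    frame of the function containing ea at stack-view offset +base.
    Assumes the IDA 6.x idc API. Returns the struct id, or None when not
    running under IDA (the idc module is absent)."""
    try:
        import idc
    except ImportError:
        return None
    offsets, size = layout(fields)
    sid = idc.GetStrucIdByName(name)
    if sid == idc.BADADDR:
        sid = idc.AddStrucEx(-1, name, 0)
        flag_for = {2: idc.FF_WORD, 4: idc.FF_DWRD, 8: idc.FF_QWRD}
        for fname, fsize in fields:
            idc.AddStrucMember(sid, fname, offsets[fname],
                               idc.FF_DATA | flag_for[fsize], -1, fsize)
    # Assumption: frame members are offset from the start of the local
    # area, so stack-view "+base" corresponds to frame offset
    # lvar_size + base. Confirm in the stack view after running.
    frame = idc.GetFrame(ea)
    frame_off = idc.GetFrameLvarSize(ea) + base
    idc.AddStrucMember(frame, "arg_" + name, frame_off,
                       idc.FF_DATA | idc.FF_STRU, sid, size)
    return sid


if __name__ == "__main__":
    offs, total = layout(MY_STRUCT_FIELDS)
    print("struct offsets: %r, sizeof: %d" % (offs, total))
    print("rbp-relative:   %r" % frame_offsets(MY_STRUCT_FIELDS))
```

Run outside IDA it only prints the computed layout (a at +0, b at +4, c at +8, size 12, which become [rbp+0x10], [rbp+0x14], [rbp+0x18]); run from IDA's Python console with the current address as ea, it does what the answer's three manual steps do, placing the struct in the frame instead of on the instruction operand so the function itself is not reinterpreted as a structure.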